With The Cloud-Based 'Project Freta', Microsoft Wants To Detect Linux Malware For Free


Microsoft may not have been Linux's best friend, but over the years it has changed that attitude.

For example, Microsoft has launched its own Linux-based cross-platform OS and has become a sponsor of the Open Source Initiative.

That relationship deepened further when Microsoft Research announced a free, cloud-based malware detection service called 'Project Freta'.

The service detects rootkits, cryptominers, and previously undetected malware in Linux cloud virtual machine (VM) images.

“Project Freta is a roadmap toward trusted sensing for the cloud that can allow enterprises to engage in regular, complete discovery sweeps for undetected malware,” wrote Mike Walker, Senior Director of New Security Ventures at Microsoft, in the blog post announcing the project.

Project Freta builds on the idea of “sensors,” which watch for certain activities happening on a system and judge them against a dataset of snapshots.

The aim is to predict the presence of a malware strain. On its own, however, this model is weak: the datasets only record cyberattacks that have already happened, and because malware authors improvise constantly, they can evade this kind of predictive, sensor-based detection.

To address this, Project Freta turns the approach around: the snapshot datasets are used to scan the VMs themselves, learning what new environments look like and how malware affects them, and that knowledge is then used to spot emerging threats.

In other words, Project Freta reverses the use of the dataset and inspects each VM image's volatile memory directly.

The more snapshots it can draw information from, the better it should become at learning malware behavior.

It should be noted that Project Freta does not focus on the lowest-resourced attackers, who can be spotted easily by existing sensors. Instead, it aims to stop highly resourced attackers by automatically fingerprinting and analyzing snapshots of thousands of Linux cloud VMs.


“Project Freta was designed and built with survivor bias at its core. It is a security project designed from first principles to drive the cost of sensor evasion as high as possible and, in many cases, render evasion technically infeasible,” the blog post continues.

Project Freta is built around four sensing tenets, each describing something a stealthy program would have to do to escape a sensor:

  1. Detect that a sensor is present before installing itself in the environment.
  2. Hide from the sensor for as long as the program is within the sensor's monitoring view.
  3. Burn itself, that is, erase or modify itself upon detecting that a sensor is present.
  4. Sabotage the sensor so that it cannot acquire the malicious program.

If the infrastructure can guarantee that none of these four evasions is possible, even the stealthiest malware can be spotted.

“What would happen if a commercial cloud could guarantee the capture of malware, no matter how expensive or exotic, in volatile memory? Producers of stealthy malware would then be locked into an expensive cycle of complete re-invention, rendering such a cloud an unsuitable place for cyberattacks. This is the future we wish to realize,” added Walker.

The key benefits of Project Freta include:

  1. The ability to detect novel malicious software, kernel rootkits, process hiding, and other intrusion artifacts through agentless operation, working directly on captured VM snapshots.
  2. Ease of use: users simply submit a captured image to generate a report of its contents.
  3. Memory inspection means there is no software to install and no warning that would let malware evacuate or destroy data.
  4. Designed so that discovery tasks can be automated directly in the cloud.
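To make the agentless, snapshot-based idea behind the first benefit concrete, here is an added example of cross-view detection. It is not Microsoft's code and says nothing about how Freta is actually implemented: it walks a constructed, hypothetical task-record list directly out of a fake memory image and compares it against the process list the guest itself reports, so a process that a rootkit hides from the in-guest view still shows up in memory. The record layout, addresses, PIDs and command names are all constructed for illustration and are not the real Linux task_struct.

```python
import struct
from dataclasses import dataclass

# Hypothetical task record layout, constructed for this example.
# It is NOT the real Linux task_struct; a real analyzer would need the
# layout of each of the thousands of kernel builds it supports.
#   offset 0:  u32 pid
#   offset 4:  16-byte NUL-padded command name
#   offset 20: u32 address of the next record (circular list)
TASK_FMT = "<I16sI"
TASK_SIZE = struct.calcsize(TASK_FMT)  # 24 bytes


@dataclass(frozen=True)
class Task:
    pid: int
    comm: str
    addr: int


def build_snapshot(tasks, base=0x1000, image_size=0x2000):
    """Construct a fake memory image holding `tasks` as a circular linked list.

    Returns (image_bytes, head_address) and stands in for a captured VM snapshot.
    """
    image = bytearray(image_size)
    count = len(tasks)
    for i, (pid, comm) in enumerate(tasks):
        addr = base + i * TASK_SIZE
        nxt = base + ((i + 1) % count) * TASK_SIZE
        # struct pads a short "16s" field with NUL bytes for us
        struct.pack_into(TASK_FMT, image, addr, pid, comm.encode("ascii"), nxt)
    return bytes(image), base


def walk_task_list(image, head, max_tasks=4096):
    """Walk the task list straight from memory, independent of anything the guest reports.

    Stops when the list wraps around (cycle), when a pointer leaves the image
    (a corrupted or tampered link), or after `max_tasks` records.
    """
    tasks = []
    seen = set()
    addr = head
    while addr not in seen and len(tasks) < max_tasks:
        if addr < 0 or addr + TASK_SIZE > len(image):
            raise ValueError(f"task pointer 0x{addr:x} points outside the snapshot")
        seen.add(addr)
        pid, raw_comm, nxt = struct.unpack_from(TASK_FMT, image, addr)
        comm = raw_comm.split(b"\0", 1)[0].decode("ascii", errors="replace")
        tasks.append(Task(pid, comm, addr))
        addr = nxt
    return tasks


def find_hidden_processes(memory_tasks, guest_pids):
    """Cross-view diff: tasks present in memory but missing from the guest's own listing."""
    visible = set(guest_pids)
    return [t for t in memory_tasks if t.pid not in visible]


# Constructed scenario: four tasks exist in memory ...
CONSTRUCTED_TASKS = [(1, "systemd"), (412, "sshd"), (1337, "miner"), (2001, "bash")]
# ... but the in-guest process listing (what a process list inside the VM
# would show) has been tampered with so that PID 1337 never appears.
CONSTRUCTED_GUEST_VIEW = [1, 412, 2001]


def demo():
    """Run the constructed scenario; returns the PIDs hidden from the guest view."""
    image, head = build_snapshot(CONSTRUCTED_TASKS)
    memory_tasks = walk_task_list(image, head)
    return [t.pid for t in find_hidden_processes(memory_tasks, CONSTRUCTED_GUEST_VIEW)]


if __name__ == "__main__":
    image, head = build_snapshot(CONSTRUCTED_TASKS)
    for t in walk_task_list(image, head):
        flag = "" if t.pid in CONSTRUCTED_GUEST_VIEW else "  <-- hidden from guest"
        print(f"0x{t.addr:05x} pid={t.pid:<5} comm={t.comm:<16}{flag}")
    print("hidden PIDs:", demo())
```

The point of the design is that nothing in the walk depends on code running inside the guest: the analyzer reads the captured bytes, so malware gets no opportunity to notice a sensor, hide, or destroy evidence, which is the property the article describes. The cycle guard and bounds check matter in practice, because a tampered or half-overwritten pointer is exactly what a forensic parser meets on a compromised image.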

What's more, Microsoft also provides an API for Project Freta, so users can upload VM snapshots in bulk. Microsoft has also released Project Freta's source code on GitHub.

At its introduction, Project Freta supports more than 4,000 kernel versions and is available only for Linux images.

Microsoft plans to add support for Windows, as well as AI-based decision-making, in the future.

Published: 15/07/2020